Bastille Discovers Emergency Alert Siren System Vulnerability; Millions May Be at Risk

SAN FRANCISCO, Calif. – April 10, 2018 – Bastille, the leader in enterprise threat detection through software-defined radio, today unveiled SirenJack, a vulnerability it found in emergency alert systems supplied by ATI Systems, one of the leading suppliers of warning sirens in the USA. ATI customers include the City of San Francisco, other large urban and rural communities, military installations, universities, and industrial sites including oil and nuclear power generation plants, potentially affecting millions of people. Featured customers on the company’s website include One World Trade Center, Indian Point Energy Center nuclear power station, UMass Amherst, and the West Point Military Academy. Bastille originally found the SirenJack vulnerability at the ATI installation in the City of San Francisco, and confirmed it at a second installation, and urges all ATI customers to contact ATI to investigate whether their system is affected.

The SirenJack vulnerability can be exploited remotely via radio frequencies to activate all the sirens at will and trigger false alarms with the attendant chaos and panic. The Bastille Research Team discovered that an unencrypted and therefore insecure radio protocol controls the ATI sirens it monitored. This unencrypted protocol allows a bad actor, which could be an individual, hacktivist, terrorist, or hostile nation state, to find the radio frequency assigned to a system, craft malicious activation messages, and transmit them from their own radio to set off the system.

“A single warning siren false alarm has the potential to cause widespread panic and endanger lives,” said Chris Risley, CEO, Bastille Networks. “Bastille informed ATI and San Francisco of the vulnerability 90 days ago, to give them time to put a patch in place. We’re now disclosing SirenJack publicly to allow ATI Systems’ users to determine if their system has the SirenJack vulnerability. We also hope that other siren vendors investigate their own systems to patch and fix this type of vulnerability.”

Noted Bastille researcher Balint Seeber began the SirenJack investigation in 2016 in San Francisco, after noticing that the city’s Outdoor Public Warning System used RF communications. Upon further analysis of the radio protocol, Balint determined that the commands were not encrypted, and that the system was therefore vulnerable to forgery of system commands and malicious activation.

The public relies on emergency warning systems for notification of legitimate threats. Warning sirens are used globally to notify about natural disasters including tornadoes, tsunamis, earthquakes, hurricanes, floods, fire, mudslides, thunderstorms, and volcanic eruptions; man-made disasters including nuclear accidents, chemical spills, oil refinery leaks, and gas leaks; public emergencies including active shooter situations, evacuation warnings, and terrorist attacks; and in times of war including air raids, bombings, and missile alerts. False alarms result in needless panic and concern, as well as increasing distrust in these systems, as seen in the 2017 Dallas siren hacking incident that set off over 150 emergency sirens citywide for more than 90 minutes. In 2018, the emergency alerting system in Hawaii was triggered by human error, and the population was erroneously panicked.

“During emergencies, cell tower-based public alert systems have been shown to fail. Many citizens have ‘cut the cord’ and cannot be contacted via a reverse 911-phone system. Consequently, warning sirens play a crucial role as they are the only truly reliable method to alert a population en-mass of a public safety event,” said Balint Seeber, Director of Vulnerability Research, Bastille. “The SirenJack vulnerability underscores the need to make emergency alert systems stronger than ever, as hackers are constantly probing critical infrastructure, especially those using insecure RF-based protocols, to infiltrate and carry out potential attacks.”

Bastille was informed that ATI Systems was working to create a patch and was making it available to the City of San Francisco. Bastille was not asked to test the patch and has not been able to verify its efficacy. “ATI is fully supportive of all of our clients and will be on standby if anyone is concerned about hacking or vulnerabilities in their system,” said Dr. Ray Bassiouni, President and CEO of ATI Systems. A detailed official statement from ATI can be found at www.sirenjack.com.